Solved: How to create a search that will trigger an alert ...

sravankaripe · ‎11-14-2016

I want to trigger an alert when the count is zero. please help me with the alert search?

btiggemann · ‎11-14-2016

You can use something like that:

sourcetype="Linux:Service" |stats count by field1 field2 field3  |where count<=0

Then you set the alert condition to "if number of result is more than 0" and an alarm is triggered.

You can extend this if you use something like this:

sourcetype="Linux:Service" |stats count by field1 field2 field3| eval event_alert=case(count >= 1, "OK",  count <= 0, "ALERT")
  | search event_alert="ALERT"

View solution in original post

gcusello · ‎11-14-2016

Hi,
You should create a lookup containing all the values of the field to monitor (e.g. Host) and then run a search like this

In this way you have all the values of your lookup that don't have any result.

You also could add rangemap at the end of your search and show results in a graphic panel (see Splunk 6.0 Dashboard Examples App).

Bye.
Giuseppe

niketn · ‎11-14-2016

You can set the Count to 0 if no result found i.e. Count is null:

your base search yourField=* | stats count(yourField) as Count | eval Count=if(isnull(Count),0,Count) | table Count

Then set the Trigger Condition as Number of Results -> is equal to -> 0

For the same search as above you can also set Count to -1 in case you do not get any results, just to identify whether the count is actually 0 or null. Then set the Trigger Condition as Number of Results -> is less than ** -> **1

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

btiggemann · ‎11-14-2016

You can use something like that:

sourcetype="Linux:Service" |stats count by field1 field2 field3  |where count<=0

Then you set the alert condition to "if number of result is more than 0" and an alarm is triggered.

You can extend this if you use something like this:

sourcetype="Linux:Service" |stats count by field1 field2 field3| eval event_alert=case(count >= 1, "OK",  count <= 0, "ALERT")
  | search event_alert="ALERT"

jakeoftrades · ‎03-23-2022

hi, will it also satisfy the condition if for 3 counts which will trigger the alert by this ?

|where count<=03

I wonder in my case that I need to set a query that will trigger an alert which is (3 consecutive occurrence) in

the logs within a specific time period like (7am-8pm) . what query should I add up. thanks

somesoni2 · ‎11-14-2016

Just run your search and select "If number of result is less than 0" as alert condition.

sravankaripe · ‎11-14-2016

i want to display some fields if count less than one or no event occurs

somesoni2 · ‎11-14-2016

The count here is a field OR just the count of events (count of events can't be less than 0)? Could you provide a sample query/data/expected output? If you want to alert based on a field value (say field name is count), then you can use "Custom" as trigger condition and provide your condition.

How to create a search that will trigger an alert when the count is zero?

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor